How to make captive portal work without a Layer 3 interface on the controller

Answer- Captive portal is a Layer 3 authentication method. To make it work in a Layer 2 deployment, the controller must have Layer 3 reachability to the client, because the controller answers the client's TCP SYN with a spoofed SYN-ACK in order to redirect the browser to the portal. This can be achieved in two ways:

1: Configure an IP address on the client VLAN. (Strictly speaking this is no longer a pure Layer 2 deployment. However, since this IP is not the client's default gateway, client traffic still passes through the controller, so from the datapath's perspective it is still Layer 2.) When the controller sends the SYN-ACK, it sees that the client is reachable locally, so it ARPs for the client and sends the packet out directly on the client VLAN.

2: Enable the 'firewall allow-tri-session' command. Please check the example below:

Topology:

The client is on VLAN 2. The controller does not have an IP address on the VLAN 2 interface. The controller has an IP address on VLAN 3, and VLAN 3 is the VLAN used for routing between the controller and the router.

Without the 'firewall allow-tri-session' command:
=====================================
1: The client does a DNS lookup and resolves the destination IP.

2: The client sends a SYN to the resolved IP. The packet reaches the controller through the GRE tunnel from the AP. The controller replies with a SYN-ACK on behalf of the real destination. Since the controller has no IP on the client VLAN, it does a route lookup and sends the SYN-ACK to the router on VLAN 3.

3: The router has both the client VLAN 2 and the controller VLAN 3. It does a route lookup, finds that the client is on its local VLAN 2, and ARPs for the client. The ARP reaches the controller, which forwards it to the client (since it is a broadcast). The client replies, and the controller forwards the reply back to the router. The router now knows that to reach the client, the packet must be sent towards the controller, but on VLAN 2.

4: The controller receives the SYN-ACK back from the router on VLAN 2. Since the controller does not allow the tri-session (I am not sure how to explain this precisely; it could be because the controller only allows sessions initiated by the user, not from the Internet, so it drops it), it drops the packet, and the client never completes the TCP handshake that the redirect depends on.

Here is the example of the 'show datapath session table' output:
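The two fixes described above, written out as ArubaOS controller CLI. This is an added example, not part of the original answer: the VLAN numbers follow the topology above, but the IP addresses (10.2.0.0/24 for the client VLAN, 10.2.0.2 for the controller, 10.2.0.1 for the router's gateway address, 10.2.0.50 for the client) are assumed. Comment lines start with '!' and are not CLI commands.

```text
! Option 1: give the controller an address on the client VLAN.
! The client's default gateway (10.2.0.1, assumed) stays on the router, so the
! controller remains a Layer 2 hop for client traffic, but the SYN-ACK for the
! captive-portal redirect now leaves directly on VLAN 2 after an ARP for the client.
configure terminal
interface vlan 2
  ip address 10.2.0.2 255.255.255.0
  no shutdown
exit
! No routes or default gateway are changed; VLAN 3 still carries routing to the router.

! Option 2: leave VLAN 2 unaddressed on the controller and instead allow the
! returning SYN-ACK. This is a global firewall setting on the controller, not
! something scoped to one VLAN or one user role.
configure terminal
firewall allow-tri-session
exit
write memory

! Checks after applying either option
show firewall
show ip interface brief
show datapath session table 10.2.0.50
```

Use 'show firewall' to confirm whether allow-tri-session is enabled, 'show ip interface brief' to confirm which option you are actually running (VLAN 2 with or without an address), and 'show datapath session table' filtered on the client IP to watch the redirect session: with neither option in place the session entry for the client's TCP SYN is created but the handshake never completes, which matches step 4 above. Prefer option 1 where the addressing plan allows it, since option 2 relaxes a session check for every flow on the controller rather than only for captive-portal traffic.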